KB Article #190180
SECURITY: Vulnerability in Apache Tomcat before version 9.0.98 (CVE-2025-24813)
Problem
• The CVE-2025-24813 vulnerability (potential RCE and/or information disclosure and/or information corruption with partial PUT) has been discovered affecting Apache Tomcat versions 9.0.98 and lower.
• Apache Tomcat is embedded in SecureTransport and is used to serve the Administration Tool service. SecureTransport versions prior to 5.5-20250327 (Mar 2025) contain Tomcat version 9.0.98 or lower, which may be flagged by security scanners.
SecureTransport versions 5.5-20250327 (Mar 2025) and higher are unaffected, as they contain Tomcat version 9.0.102 or higher.
Resolution
Axway R&D analyzed the issue with the following result:
• The current SecureTransport version and all supported previous versions are NOT vulnerable to CVE-2025-24813.
• Nevertheless, customers are advised to upgrade to 5.5-20250327 or higher to take advantage of the latest Java 21 and Tomcat security fixes and mechanisms.
Detailed analysis:
Under specific circumstances, successful exploitation allows attackers to execute code remotely on target systems via unsafe deserialization. The attack is described in the Apache Software Foundation's advisory.
Based on our analysis and those of other research firms, the conditions required for successful exploitation appear to be specific, non-default, and uncommon.
The issue is linked with the org.apache.catalina.servlets.DefaultServlet that is included with the Tomcat application server. This servlet is configured in ${CATALINA_HOME}/conf/web.xml and mapped to "/", so it serves files whenever no other servlet mapping matches a request. By default it allows only GET (read operations), but it can be configured to accept file uploads by explicitly adding a readonly=false init parameter to its settings.
In the SecureTransport context, it is unlikely that an OS administrator has modified web.xml. The embedded Tomcat in SecureTransport is overwritten on every product update and is not intended for manual configuration changes or for serving any content other than its dedicated purpose: the Administration Tool application with its preconfigured settings.
You can manually verify whether such a modification is in place.
Verification steps
Verify that these files:
<FILEDRIVEHOME>/tomcat/conf/web.xml
<FILEDRIVEHOME>/tomcat/admin/conf/web.xml
<FILEDRIVEHOME>/tomcat/as2/conf/web.xml
do not include the following two lines in the DefaultServlet section:
<param-name>readonly</param-name> <param-value>false</param-value>
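As an added example (not part of this KB article and not an Axway script), the following POSIX shell script automates the check above. It isolates the <servlet> block that declares org.apache.catalina.servlets.DefaultServlet in each of the three web.xml files and reports whether that block sets readonly to false, ignoring the same parameter on any other servlet. The installation root is taken from the first argument or from the FILEDRIVEHOME environment variable, which is assumed to point at the SecureTransport installation directory; the web.xml files the script writes under a temporary directory are constructed fixtures for demonstration, not copies of SecureTransport's own configuration.

```shell
#!/bin/sh
# Added example, not Axway's own tooling: detect a DefaultServlet that has been
# switched to read-write (readonly=false) in SecureTransport's embedded Tomcat.
# Assumption: FILEDRIVEHOME (or $1) is the SecureTransport installation root.

# Return 0 if the DefaultServlet <servlet> block in the given web.xml sets
# readonly=false, 1 if it does not or the file does not exist.
default_servlet_writable() {
    f="$1"
    [ -f "$f" ] || return 1
    # Keep only <servlet>...</servlet> blocks whose class is the DefaultServlet,
    # join them into one line, then look for the readonly/false init-param pair
    # (case-insensitive, tolerant of whitespace and line breaks between tags).
    awk '
        /<servlet>/    { block = ""; inblock = 1 }
        inblock        { block = block $0 "\n" }
        /<\/servlet>/  { inblock = 0
                         if (block ~ /org\.apache\.catalina\.servlets\.DefaultServlet/) print block }
    ' "$f" |
    tr -d '\n' |
    grep -Eiq '<param-name>[[:space:]]*readonly[[:space:]]*</param-name>[[:space:]]*<param-value>[[:space:]]*false[[:space:]]*</param-value>'
}

# Check the three web.xml files named in the KB article under the given root.
# Prints one line per file; returns 1 if any file enables writes, 0 otherwise.
check_securetransport() {
    root="${1:-$FILEDRIVEHOME}"
    if [ -z "$root" ]; then
        echo "usage: check_securetransport <FILEDRIVEHOME>" >&2
        return 2
    fi
    rc=0
    for rel in tomcat/conf/web.xml tomcat/admin/conf/web.xml tomcat/as2/conf/web.xml; do
        if default_servlet_writable "$root/$rel"; then
            echo "WRITABLE: $root/$rel sets readonly=false on DefaultServlet"
            rc=1
        else
            echo "ok: $root/$rel"
        fi
    done
    return $rc
}

# Build a constructed SecureTransport-like tree in a temp dir (fixtures only).
make_fixture_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/tomcat/conf" "$d/tomcat/admin/conf" "$d/tomcat/as2/conf"
    # Constructed sample: DefaultServlet with the non-default readonly=false.
    cat > "$d/tomcat/conf/web.xml" <<'EOF'
<web-app>
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
    </servlet>
</web-app>
EOF
    # Constructed sample: DefaultServlet left read-only (no readonly param).
    cat > "$d/tomcat/admin/conf/web.xml" <<'EOF'
<web-app>
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
    </servlet>
</web-app>
EOF
    # Constructed sample: readonly=false on a different servlet, so not flagged.
    cat > "$d/tomcat/as2/conf/web.xml" <<'EOF'
<web-app>
    <servlet>
        <servlet-name>other</servlet-name>
        <servlet-class>com.example.OtherServlet</servlet-class>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
    </servlet>
</web-app>
EOF
    echo "$d"
}

# Stand-alone demo on the constructed fixtures; on a real host run
# check_securetransport "$FILEDRIVEHOME" instead.
demo_root=$(make_fixture_dir)
check_securetransport "$demo_root" || true
```

On a real installation only the first call matters: set FILEDRIVEHOME and run check_securetransport; any line starting with WRITABLE identifies a web.xml whose DefaultServlet section contains the two lines the article tells you to look for. The match is scoped to the DefaultServlet block deliberately, so a readonly parameter on some other servlet does not produce a false positive.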